Spring安全-由于CSRF而拒绝访问
我正在使用spring security开发一个网站,我有一个不安全的页面,“product/58”,其中我有以下表格:Spring安全-由于CSRF而拒绝访问,spring,spring-security,csrf,Spring,Spring Security,Csrf,我正在使用spring security开发一个网站,我有一个不安全的页面,“product/58”,其中我有以下表格: <form:form name="offerForm" id="offer" modelAttribute="offerProposal" action="/product/make/offer/" method="post" enctype="multipart/form-data"> <input type="hidden" name="${_
<form:form name="offerForm" id="offer" modelAttribute="offerProposal" action="/product/make/offer/" method="post" enctype="multipart/form-data">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<form:input path="minPrice"/>
</form:form>
spring安全配置如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<http pattern="/resources/css" security="none" />
<http pattern="/resources/images" security="none" />
<http pattern="/resources/js" security="none" />
<global-method-security secured-annotations="enabled" />
<beans:bean id="ajaxAwareLoginUrlAuthenticationEntryPoint" class="com.projectx.standard.app.handler.AjaxAwareLoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login/" />
</beans:bean>
<http use-expressions="true" disable-url-rewriting="true" entry-point-ref="ajaxAwareLoginUrlAuthenticationEntryPoint">
<access-denied-handler error-page="/accessDenied/" />
<session-management>
<concurrency-control expired-url="/login/" />
</session-management>
<logout logout-success-url="/" invalidate-session="true" logout-url="/logout" />
<intercept-url pattern="/favicon.ico" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/robots.txt" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/product/make/offer/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="permitAll"
requires-channel="https" />
<!-- Set the login page and what to do if login fails -->
<form-login login-page="/login/"
authentication-failure-handler-ref="customAuthenticationFailureHandler"
authentication-success-handler-ref="customAuthenticationSuccessHandler"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
always-use-default-target="false" />
<remember-me data-source-ref="dataSource"
remember-me-parameter="_spring_security_remember_me"
remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE" />
</http>
<beans:bean id="customAuthenticationSuccessHandler"
class="com.projectx.standard.app.handler.CustomAuthenticationSuccessHandler" />
<beans:bean id="customAuthenticationFailureHandler"
class="com.projectx.standard.app.handler.CustomAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/?error=true" />
</beans:bean>
<!-- Use a BCryptPasswordEncoder encoder since the user's passwords are
stored as BCryptPasswordEncoder in the database -->
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<authentication-manager>
<authentication-provider user-service-ref="loginService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans>
这看起来像CSRF,但表单作为令牌。我能做些什么来解决这个问题
谢谢我想明白了。。。如果我将?${u csrf.parameterName}=${{u csrf.token}添加到表单操作中,那么一切都正常 我不知道这是否是最好的方法,但它是有效的
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<http pattern="/resources/css" security="none" />
<http pattern="/resources/images" security="none" />
<http pattern="/resources/js" security="none" />
<global-method-security secured-annotations="enabled" />
<beans:bean id="ajaxAwareLoginUrlAuthenticationEntryPoint" class="com.projectx.standard.app.handler.AjaxAwareLoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login/" />
</beans:bean>
<http use-expressions="true" disable-url-rewriting="true" entry-point-ref="ajaxAwareLoginUrlAuthenticationEntryPoint">
<access-denied-handler error-page="/accessDenied/" />
<session-management>
<concurrency-control expired-url="/login/" />
</session-management>
<logout logout-success-url="/" invalidate-session="true" logout-url="/logout" />
<intercept-url pattern="/favicon.ico" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/robots.txt" access="permitAll"
requires-channel="https" />
<intercept-url pattern="/product/make/offer/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/**" access="permitAll"
requires-channel="https" />
<!-- Set the login page and what to do if login fails -->
<form-login login-page="/login/"
authentication-failure-handler-ref="customAuthenticationFailureHandler"
authentication-success-handler-ref="customAuthenticationSuccessHandler"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
always-use-default-target="false" />
<remember-me data-source-ref="dataSource"
remember-me-parameter="_spring_security_remember_me"
remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE" />
</http>
<beans:bean id="customAuthenticationSuccessHandler"
class="com.projectx.standard.app.handler.CustomAuthenticationSuccessHandler" />
<beans:bean id="customAuthenticationFailureHandler"
class="com.projectx.standard.app.handler.CustomAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/?error=true" />
</beans:bean>
<!-- Use a BCryptPasswordEncoder encoder since the user's passwords are
stored as BCryptPasswordEncoder in the database -->
<beans:bean id="passwordEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<authentication-manager>
<authentication-provider user-service-ref="loginService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
</beans:beans>